jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
name: Jamf Protect - Alerts
entityMappings:
- fieldMappings:
- columnName: DvcHostname
identifier: HostName
- columnName: DvcOs
identifier: OSFamily
- columnName: DvcOsVersion
identifier: OSVersion
entityType: Host
- fieldMappings:
- columnName: Host_IPs
identifier: Address
entityType: IP
- fieldMappings:
- columnName: TargetProcessCurrentDirectory
identifier: CommandLine
- columnName: TargetProcessId
identifier: ProcessId
entityType: Process
- fieldMappings:
- columnName: algorithm
identifier: Algorithm
- columnName: TargetBinarySHA256
identifier: Value
entityType: FileHash
suppressionDuration: PT5H
suppressionEnabled: false
alertDetailsOverride:
alertDynamicProperties:
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
- value: Techniques
alertProperty: Techniques
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertTacticsColumnName: Tactics
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotectalerts_CL
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
kind: NRT
incidentConfiguration:
groupingConfiguration:
lookbackDuration: PT5H
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: false
createIncident: true
version: 1.0.6
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
severity: High
relevantTechniques:
customDetails:
Protect_Tags: Tags
TargetBinarySigner: TargetBinarySigningTeamID
Related_File_hash: TargetBinarySHA256
Protect_Analytic: EventMessage
TargetbinarySign: TargetbinarySignerType
Protect_Event_Type: EventType
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Related_Binaries: TargetBinaryFilePath
JamfPro_Status: JamfPro
tactics:
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
